Description
Summary
A reflected XSS vulnerability has been found in YzmCMS V7.1. The vulnerability exists in yzmphp/core/class/application.class.php: when a logged-in user opens a malicious link, an attacker can obtain that user's cookie.
Details
In message.tpl, $gourl is concatenated directly into the meta tag with no filtering.

Note that the code already uses the htmlspecialchars function, but not comprehensively.
The developer tries to filter HTTP_REFERER when gourl is not empty. However, if $gourl is not empty, it is output directly without passing through htmlspecialchars, resulting in an XSS attack.

We can assign a value via the referer parameter so that the gourl variable is not empty.
The final payload is http://your-ip/member/index/login.html?username=123&password=123&referer=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
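The following sketch is an added example, not YzmCMS source code. It contrasts raw concatenation of $gourl into a meta tag with a form that restricts the redirect target and escapes at the point of output. The function names, the exact shape of the meta tag and the site URL are assumptions; the test value is the referer parameter from the payload above, URL-decoded.

```php
<?php
declare(strict_types=1);

// Pattern described in the report: the redirect target is concatenated
// into the attribute without escaping. (Hypothetical function name.)
function meta_refresh_raw(string $gourl, int $seconds = 3): string
{
    return '<meta http-equiv="refresh" content="' . $seconds . ';URL=' . $gourl . '">';
}

// Hardened form: allow only local paths or same-site URLs, then escape
// where the value is written, whichever code path produced it.
function meta_refresh_safe(string $gourl, string $siteUrl, int $seconds = 3): string
{
    $base = rtrim($siteUrl, '/') . '/';
    // A local path starts with one "/" not followed by "/" or "\".
    $isLocalPath = preg_match('#^/(?![/\\\\])#', $gourl) === 1;
    $isSameSite  = strncmp($gourl, $base, strlen($base)) === 0;
    if (!$isLocalPath && !$isSameSite) {
        $gourl = $base; // anything else falls back to the site root
    }
    return '<meta http-equiv="refresh" content="' . $seconds . ';URL='
        . htmlspecialchars($gourl, ENT_QUOTES, 'UTF-8') . '">';
}

// referer value from the payload above, URL-decoded
$referer = '1"><script>alert(document.cookie)</script>';
$site    = 'http://cms.example/'; // constructed site URL for the example

// Raw: the quote and angle bracket close the attribute and the tag.
echo meta_refresh_raw($referer), PHP_EOL;

// Safe: the value is neither a local path nor same-site, so it is replaced.
echo meta_refresh_safe($referer, $site), PHP_EOL;

// Safe: a legitimate local target is kept, with its quotes and
// ampersands entity-encoded inside the attribute.
echo meta_refresh_safe('/member/index/login.html?a=1&b="x"', $site), PHP_EOL;
```

Escaping in the function that writes the attribute, instead of in only one branch of the logic that chooses the value, removes the dependence on every caller remembering to call htmlspecialchars.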

Proof of Concept (POC)
http://your-ip/member/index/login.html?username=123&password=123&referer=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E